[apparmor] [PATCH 07/36] apparmor: use free_profile instead of put_profile when erroring out early

John Johansen john.johansen at canonical.com
Wed May 1 21:30:52 UTC 2013


aa_put_profile causes profiles to go through an rcu based delayed free
cycle.  Discard profiles that can't be in use, and hence don't need the
delayed free, by calling free_profile directly.

Signed-off-by: John Johansen <john.johansen at canonical.com>
---
 security/apparmor/include/policy.h |  1 +
 security/apparmor/policy.c         | 10 +++++-----
 security/apparmor/policy_unpack.c  |  4 ++--
 3 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 587cb28..6d2b949 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -227,6 +227,7 @@ struct aa_namespace *aa_find_namespace(struct aa_namespace *root,
 void aa_free_replacedby_kref(struct kref *kref);
 struct aa_profile *aa_alloc_profile(const char *name);
 struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat);
+void aa_free_profile(struct aa_profile *profile);
 void aa_free_profile_kref(struct kref *kref);
 struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name);
 struct aa_profile *aa_lookup_profile(struct aa_namespace *ns, const char *name);
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 53a0573..5fe1559 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -307,7 +307,7 @@ fail_ns:
 	return NULL;
 }
 
-static void free_profile(struct aa_profile *profile);
+void aa_free_profile(struct aa_profile *profile);
 /**
  * free_namespace - free a profile namespace
  * @ns: the namespace to free  (MAYBE NULL)
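Review bot: The forward declaration `void aa_free_profile(struct aa_profile *profile);` kept above free_namespace() looks redundant, because this patch adds the same prototype to include/policy.h. Assuming policy.c includes that header (not visible in this hunk), the local line can be dropped so that only one declaration has to stay in sync with the definition.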
@@ -324,7 +324,7 @@ static void free_namespace(struct aa_namespace *ns)
 	aa_put_namespace(ns->parent);
 
 	ns->unconfined->ns = NULL;
-	free_profile(ns->unconfined);
+	aa_free_profile(ns->unconfined);
 	kzfree(ns);
 }
 
@@ -568,7 +568,7 @@ void aa_free_replacedby_kref(struct kref *kref)
 }
 
 /**
- * free_profile - free a profile
+ * aa_free_profile - free a profile
  * @profile: the profile to free  (MAYBE NULL)
  *
  * Free a profile, its hats and null_profile. All references to the profile,
@@ -577,7 +577,7 @@ void aa_free_replacedby_kref(struct kref *kref)
  * If the profile was referenced from a task context, free_profile() will
  * be called from an rcu callback routine, so we must not sleep here.
  */
-static void free_profile(struct aa_profile *profile)
+void aa_free_profile(struct aa_profile *profile)
 {
 	AA_DEBUG("%s(%p)\n", __func__, profile);
 
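Review bot: The kernel-doc above the definition still reads `free_profile() will be called from an rcu callback routine`, which no longer matches the renamed and now non-static function; it should say `aa_free_profile()`. As the commit message describes it, this is the direct free that skips the rcu delayed path, and it is now callable from other files. The comment should therefore state the caller contract, e.g. ` * Callers other than the rcu callback must own the only reference; the profile must not be reachable from any task or list.` Both the comment and the function body extend beyond this hunk.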
@@ -619,7 +619,7 @@ static void aa_free_profile_rcu(struct rcu_head *head)
 	if (p->flags & PFLAG_NS_COUNT)
 		free_namespace(p->ns);
 	else
-		free_profile(p);
+		aa_free_profile(p);
 }
 
 /**
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index f47b882..69894ad 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -615,7 +615,7 @@ fail:
 	else if (!name)
 		name = "unknown";
 	audit_iface(profile, name, "failed to unpack profile", e, error);
-	aa_put_profile(profile);
+	aa_free_profile(profile);
 
 	return ERR_PTR(error);
 }
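Review bot: Replacing `aa_put_profile(profile)` with `aa_free_profile(profile)` on the `fail:` path frees the object at once instead of dropping a reference, so it is only safe while nothing else can hold a pointer to the profile, and the new code states that invariant nowhere. `audit_iface(profile, ...)` runs just before the free, and any code in the unpack path that retained a reference would turn this into a use-after-free rather than a dropped ref. I would add a comment at the call, e.g. `/* profile was never published or referenced elsewhere, so skip the rcu delayed free */`, and consider a debug-time check in aa_free_profile() that the reference count is still at its initial value. The same applies to the `verify_profile()` error branch in aa_unpack() further down. The enclosing function starts outside this hunk.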
@@ -763,7 +763,7 @@ int aa_unpack(void *udata, size_t size, struct list_head *lh, const char **ns)
 
 		error = verify_profile(profile);
 		if (error) {
-			aa_put_profile(profile);
+			aa_free_profile(profile);
 			goto fail;
 		}
 
-- 
1.8.1.2



